From 7381a280c82e29d7c56fad938175e70b7ef85a9f Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Mon, 3 Jun 2019 11:55:54 +1000
Subject: [PATCH] kdc: check for cname-in-addl-tkt flag in constrained delegation

Before accepting an additional ticket for use with constrained delegation, verify the cname-in-addl-tkt flag was set. If not, ignore the request.
---
 kdc/krb5tgs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 6000ac2c5e..1333ad3bfb 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2183,6 +2183,7 @@ tgs_build_reply(krb5_context context,
     if (client != NULL
         && b->additional_tickets != NULL
         && b->additional_tickets->len != 0
+        && b->kdc_options.cname_in_addl_tkt
         && b->kdc_options.enc_tkt_in_skey == 0) {
         int ad_signedpath = 0;